The first bug to kill a social network

A year ago today, I sent out the first edition of this newsletter. Two hundred and twenty-three issues later, I’m even more excited to make it than I was when I started. To all 5,128 of you, thanks for your time, your attention, and your feedback. I’m learning so much from you every day. Here’s to year 2.

There are bad bugs, and there are worse bugs. But until this week, there had never been a bug that killed a social network. Then the Wall Street Journal reported that a glitch had exposed private Google+ profile information to third-party developers between 2015 until earlier this year. A few hours later, the network — which once claimed 135 million users — was dead.

For most of its seven years, Google’s effort to build a Facebook-style social network served mostly as a punchline. The company regularly touted suspiciously massive user numbers, but aside from a few pockets of enthusiasts, Google+ never managed to find a place in people’s lives the way Gmail, YouTube, or other Google services did.

Google attempted to reinvent Plus several times, most recently as a kind of modern spin on message boards. And one part of Plus, which focused on helping you organize your photos, thrived once it spun out into a separate service. But mostly it was a wild goose chase — the most prominent example of Google’s many failed attempts to build a true social network. And it will be forever remembered as the social network that shut down over a security glitch — one that it didn’t tell us about until it was discovered by journalists.

Why didn’t Google fess up at the time? Here’s what it told the Journal:

In weighing whether to disclose the incident, the company considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”

As my colleague Russell Brandom notes in a good piece, this wasn’t a “breach” in the legal sense of the word. There are good reasons not to require companies to issue a public disclosure every time they find a simple vulnerability, without any evidence that it was exploited. (Chief among them: it can incentivize them to stop looking so hard.) Still:

After Facebook’s painful fall from grace, the legal and the cybersecurity arguments seem almost beside the point. The contract between tech companies and their users feels more fragile than ever, and stories like this one stretch it even thinner. The concern is less about a breach of information than a breach of trust. Something went wrong, and Google didn’t tell anyone. Absent the Journal reporting, it’s not clear it ever would have. It’s hard to avoid the uncomfortable, unanswerable question: what else isn’t it telling us?

And yet Google seemed to shrug off all those worries on stage Tuesday, when its executives appeared to announce the company’s fall hardware lineup. There was a new phone, a tablet, and a competitor to the Echo Show and Facebook Portal that distinguishes itself by omitting a camera.

There was no discussion of Google+.

That speaks to how dramatically the company has shifted since its social network was born — and why, despite their similar advertising businesses, Google and Facebook occupy such different places in consumers’ minds.

Google has focused consistently on being a utility. It builds powerful services that don’t require an understanding of your family structure or your friend relationships. Google Maps iterates constantly in search of the perfect commute; Gmail adds automatic replies to speed up your inbox; Google Photos absorbs all the pictures on your phone and uses machine learning to understand their contents and make them searchable.

Google gives us sincerely new and useful things. And so, when we learn that it has exposed our data inadvertently, we might be more likely to give them a pass.

At Facebook, on the other hand, the prime directive is still user growth. The company talks about a shift to foster more “meaningful” connections, but in practice this simply means growing different parts of its product suite. Facebook is useful, but it is useful mainly in the way that a phone book is useful, and after you have reached a certain number of friends that usefulness plateaus.

Its biggest hit products in recent years — Instagram and WhatsApp — have been acquisitions. The new features it adds are often imported from other social networks. Its News Feed is essentially an entertainment product, but as a mirror for our times, it is often more distressing than entertaining.

It gives us less, we like it less, we trust it less.

I’m oversimplifying, of course. But I once spoke with someone had worked at both Google and Facebook who described the difference between how those two companies are perceived in exactly those terms.

Sometimes a company misses the boat on a trend, and regrets it forever. In the case of Google+, I suspect many executives wish the company had simply avoided building a true social network altogether. David Byttow, who worked on the project and is now at Snap, put it this way: “As a tech lead and an original founding member of Google+, my only thought on Google sunsetting it is… FINALLY.”

Here’s a great story from Kevin Poulsen and Spencer Ackerman that asks: why hasn’t Russia made more obvious attempts to interfere in the midterm elections?

Today the troll factory is using a mix of surviving accounts and new ones to do what it’s always done, spread fake news and fan division on Twitter, said Ryan Fox, a former NSA official now serving as COO of the smear-fighting startup New Knowledge. It’s also sneaking back onto Facebook, which discovered and deleted a fresh batch of fraudulent IRA-linked profiles and group pages in July. So far, though, none of the accounts are doing anything special for the election. “Lately, it’s been Kavanaugh all day, all the time,” said Fox.

“My assessment of the situation is they’re having to reconstitute. I also would assume that because most of their accounts were taken down that they don’t have the same robustness available,” Fox said.The indicted Russian businessman who funded the IRA is now pouring resources into a new venture called USA Really, a Russian site dedicated to pushing anti-American propaganda. Unlike the IRA’s deceptive websites and Facebook groups, USA Really doesn’t disguise itself as a domestic U.S. entity, and it has real people on its masthead. In the short term, that makes it less effective at influencing Americans, but it also makes the site harder to target with a rational social media policy. Fox thinks that model is the future of Russia’s information operations. “They’re out in the open now,” said Fox. “You can’t just call them out as Russian bots. You have to get into a debate about who counts as a journalist.”

Mark Mazzetti, Ronen Bergman, David D. Kirkpatrick and Maggie Haberman have the tale of how Rick Gates, a top Trump campaign official, requested proposals from an Israeli company to create fake digital identities as part of its campaign strategy:

The campaign official, Rick Gates, sought one proposal to use bogus personas to target and sway 5,000 delegates to the 2016 Republican National Convention by attacking Senator Ted Cruz of Texas, Mr. Trump’s main opponent at the time. Another proposal describes opposition research and “complementary intelligence activities” about Mrs. Clinton and people close to her, according to copies of the proposals obtained by the New York Times and interviews with four people involved in creating the documents.

Ben Gomes runs search for Google. Publicly, he has called Project Dragonfly “an exploration.” But privately, he wanted it completed “as soon as possible,” Ryan Gallagher reports, in a damning new story based on a transcript of Gomes’ comments to his team.

Gomes, who joined Google in 1999 and is one of the key engineers behind the company’s search engine, said he hoped the censored Chinese version of the platform could be launched within six and nine months, but it could be sooner. “This is a world none of us have ever lived in before,” he said. “So I feel like we shouldn’t put too much definite into the timeline.”

In the midst of a small-scale employee revolt over Project Dragonfly, Google decided not to compete for the Pentagon’s cloud-computing contract, Naomi Nix reports:

“We are not bidding on the JEDI contract because first, we couldn’t be assured that it would align with our AI Principles,“ a Google spokesman said in a statement. "And second, we determined that there were portions of the contract that were out of scope with our current government certifications.”

Ryan Broderick travels to Sao Paulo to try to understand how the electorate is using WhatsApp:

WhatsApp is also a nightmare for fact-checkers. Nieman Lab called it a “black box of viral misinformation.” Brazil’s political activists, especially on the far right, have been extremely aggressive about using it to organize. Last year, Movimento Brasil Livre (MBL), or “Free Brazil Movement,” a right-wing pro-Bolsonaro youth movement, was the subject of an investigation by one of the country’s biggest papers, which reported from inside one of their WhatsApp groups. The paper discovered that MBL was using WhatsApp groups like “MBL merchants” or “MBL lawyers” to spread their content — including rumors and fake news. BuzzFeed News has reached out to MBL for comment.

In a Discord chat server called “/pol/Nation” — named for the controversial 4chan imageboard — more than 3,000 users participate in a rolling multimedia chat extravaganza of Hitler memes, white nationalist revisionist history, and computer game strategy. And in a voice-over-IP chatroom within the server, users keep up a steady chatter about the same subjects. It’s like a cutting-edge, venture-backed version of its namesake; 4chan on steroids.

The next time Facebook does something to smother Instagram and you find yourself asking why, remember these data points:

Last quarter, Instagram generated an estimated $2 billion, or about 15 percent, of Facebook’s $13 billion in ad revenue, according to estimates from Andy Hargreaves, a research analyst with KeyBanc Capital Markets. Hargreaves expects Instagram to grow to about 30 percent of Facebook’s ad revenue in two years, as well as nearly 70 percent of the company’s new revenue by 2020 — driving the majority of Facebook’s growth.

Snap Inc. “is quickly running out of money” and may need to raise capital by the middle of next year, according to one analyst:

In order to reach Chief Executive Officer Evan Spiegel’s goal of profitability in 2019, Snap would need to grow “massively faster” than expected and cut costs aggressively, analyst Michael Nathanson wrote. He expects a loss of more than $1.5 billion in 2019 as Snap looks to rebuild its user base.

Snopes, the fact-checking site, explains that the hoax appears to reference fears about “cloned” Facebook accounts, where would-be scammers copy the name, profile picture, and basic information from a real account to create a second, nearly identical account on Facebook. Then, they send a bunch of friend requests to the original account’s friend list, to try to scam the person’s unsuspecting friends into granting access to their personal information by accepting the request.

A Facebook spokesperson said in an emailed statement that the company had “heard that some people are seeing posts or messages about accounts being cloned on Facebook,” messages that they likened to a chain letter or email. Although account cloning is a real thing, the volume of messages spreading across Facebook don’t reflect any actual spike in cloned accounts on the service

Amid a broader and somewhat mysterious app crackdown in China, Bullet Messenger, a Chinese messaging app that surged in popularity in the past few months, is no longer available in Apple’s App Store, Juro Osawa reports.

Today in the increasingly popular genre of “Instagram changes everything” stories: the gym.

The gym selfie, experts say, is more than just a visual brag or photo-driven pep talk. Social media is fundamentally changing the way we work out—and the way we see ourselves in the mirror. In a recent study, professors Tricia Burke and Stephen Rains found that individuals who saw more workout posts in their feeds were more likely to feel concerned about their own bodies, especially if the posts came from a person they felt looked similar to them. This means that even a passive scroll through Instagram can be more about stoking self-consciousness, in oneself and in others, than providing motivation—and that we internalize these lessons more easily than we think. “If people become preoccupied with their weight, that could manifest itself in less healthy ways,” Burke told me.

Can you really detect a phenomenon as abstract as bullying using artificial intelligence? Instagram says it can now:

Interestingly, Instagram says it’s not just analyzing photos captions to identify bullying, but also the photo itself. Speaking to The Verge, a spokesperson gave the example of the AI looking for split-screen images as an example of potential bullying, as one person might be negatively compared to another. What other factors the AI will look for though isn’t clear. That might be a good idea considering that when Facebook announced it would scan memes using AI, people immediately started thinking of ways to get around such filters.

Along with the new filters, Instagram is also launching a “kindness camera effect,” which sounds like it’s a way to spread a positive message as a method to boost user engagement. While using the rear camera, the effects fill the screen with an overlay of “kind comments in many languages.” Switch to your front-facing camera, and you get a shimmer of hearts and a polite encouragement to “tag a friend you want to support.”

Here’s a win for IGTV: magazine publisher Meredith is developing a slate of 10 original series for Instagram’s 3-month-old experimental vertical TV app, the first of which will premiere later this year.

The most interesting nugget in this Josh Constine update on Workplace from its first-ever user conference: while more than 30,000 organizations are customers, Facebook hasn’t updated that number in a year. It suggests that the product has been slow to catch on during a trying year for the parent company.

Google launched many new things today, including a phone, a tablet, and a competitor to the Facebook Portal and Echo Show that is most notable for its lack of a camera. Read about the biggest announcements here.

Charlie Warzel says that Facebook Portal is only explicable in the context of Americans’ apathetic view toward their own privacy:

It’s also further confirmation that Facebook isn’t particularly sorry for its privacy failures — despite a recent apology tour that included an expensive “don’t worry, we got this” mini-documentary, full-page apology ads in major papers, and COO Sheryl Sandberg saying things like, “We have a responsibility to protect your information. If we can’t, we don’t deserve it.” Worse, it belies the idea that Facebook has any real desire to reckon with the structural issues that obviously undergird its continued privacy missteps.

But more troubling still is what a product like Portal says about us, Facebook’s users: We don’t care enough about our privacy to quit it.

It stands to reason that if Facebook cannot reliably secure its flagship product — Facebook itself — then the company should not be trusted with experimental forays into wildly different products, i.e. physical ones. Securing a software platform that serves 2.23 billion users is an extremely challenging task, and adding hardware to that equation just complicates existing concerns.

You don’t have to know the technical ins and outs of security to make secure choices. Trust is leverage — demand that it be earned. If a product doesn’t pass the smell test, trust that feeling. Throw it out. Better yet, don’t invite it onto your kitchen counter to begin with.

Navy veteran Pieter Hanson became a Twitter sensation on Monday night, after his mother tweeted a photo of him in his dress uniform claiming Hanson was “afraid to go on solo dates,” because of “the current climate of false sexual allegations.” Hanson created a legendary Twitter handle — @thatwasmymom — and in a literally perfect first tweet, disavowed her comments and claimed himself an ally of women in their struggle for equality.